EXAMINER'S AMENDMENT



1. An examiner's amendment to the record appears below. Should the changes and/or 
additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 
1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the 
payment of the issue fee. 

Authorization for this examiner's amendment was given in a telephone interview with 
Steven Greenberg on 2/17/06.

Amendment of Claims 

1. A method of preventing a flooding attack on a network server in which a large
number of requests are received for connection to a particular port number on the server, 
comprising: 

recognizing a particular host connecting to the port number on the server; 
calculating a number of connections to the port attributed to the host; 
determining, in response to a request from the host for a connection to the port, if the 
number of connections to the port attributed to the host exceeds a prescribed threshold, and, if so, 
denying the request for a connection. 

5. Apparatus for preventing a flooding attack on a network server in which a large
number of requests are received for connection to a particular port number on the server, 
comprising: 

means for recognizing a particular host connecting to the port number on the server; 
means for calculating a number of connections to the port attributed to the host; 
means for determining, in response to a request from the host for a connection to the port, 
if the number of connections to the port attributed to the host exceeds a prescribed threshold, and 
means responsive to the determining means for denying the request for a connection. 

9. A storage media containing program code segments for preventing a flooding attack 
on a network server in which a large number of requests are received for connection to a 
particular port number on the server, comprising: 

a first code segment activated to recognize a particular host connecting to the port 
number on the server; 

a second code segment to calculate a number of connections to the port attributed to the
host;

a third code segment activated in response to a request from the host for a connection to 
the port for determining if the number of connections to the port attributed to the host exceeds a 
prescribed threshold, and 

a fourth code segment responsive to the third code segment for denying the request for a 
connection. 

10. The media of claim 9 in which the second code segment further comprises:

a fifth code segment for overriding the denial and allowing the request if a quality of 
service parameter pertaining to the requesting host permits the override. 

11. The media of claim 10 further comprising a sixth code segment for denying a
connection request in any event if the number of available connections to the port are less than a 
constrained threshold. 

12. The media of claim 9 or claim 10 or claim 11 further comprising:

a seventh code segment for calculating the prescribed threshold by multiplying a 
percentage P by the number of available connections remaining for the port. 

13. A carrier wave containing program code segments for preventing a flooding attack 
on a network server in which a large number of requests are received for connection to a port 
number on the server, comprising: 

a first code segment activated to recognize a particular host connecting to the port 
number on the server; 

a second code segment to calculate a number of connections to the port attributed to the
host;

a third code segment activated in response to a request from the host for a connection to 
the port for determining if the number of connections to the port attributed to the host exceeds a 
prescribed threshold, and 

a fourth code segment responsive to the third code segment for denying the request for a
connection. 

14. The carrier wave of claim 13 in which the second code segment further comprises:

a fifth code segment for overriding the denial and allowing the request if a quality of
service parameter pertaining to the requesting host permits the override.

15. The carrier wave of claim 14 further comprising a sixth code segment for denying a 
connection request in any event if the number of available connections to the port are less than a 
constrained threshold. 

16. The carrier wave of claim 13 or claim 14 or claim 15 further comprising: 

a seventh code segment for calculating the prescribed threshold by multiplying a 
percentage P by the number of available connections remaining for the port. 
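
The admission decision that claims 9 to 12 describe can be sketched as follows. This is an added example, not part of the office action or the application; the class and function names, the set-based quality-of-service model, the reading that the constrained threshold only cancels the override, and the documentation-range addresses are assumptions.

```python
from collections import Counter

class PortGuard:
    """Per-host admission control for one listening port (hypothetical names)."""

    def __init__(self, max_conns, percent, constrained, qos_override=()):
        self.max_conns = max_conns             # total slots on the port (assumed)
        self.percent = percent                 # percentage P (claims 12 and 16)
        self.constrained = constrained         # constrained threshold (claims 11, 15)
        self.qos_override = set(qos_override)  # hosts whose QoS permits override
        self.per_host = Counter()              # connections attributed to each host

    def available(self):
        return self.max_conns - sum(self.per_host.values())

    def admit(self, host):
        """Return (allowed, reason) for a connection request from host."""
        avail = self.available()
        if avail <= 0:
            return False, "port-full"
        # Prescribed threshold is P% of the slots still available; integer
        # arithmetic avoids float rounding at the boundary.
        over = self.per_host[host] * 100 > self.percent * avail
        if over:
            if avail < self.constrained:
                return False, "constrained"          # denied in any event
            if host not in self.qos_override:
                return False, "host-over-threshold"  # only this host is denied
        self.per_host[host] += 1
        return True, ("override" if over else "ok")

    def release(self, host):
        """Call when a connection from host closes."""
        if self.per_host[host] > 0:
            self.per_host[host] -= 1

def flood(guard, host, attempts):
    """Send repeated requests from one host; return how many were admitted."""
    return sum(guard.admit(host)[0] for _ in range(attempts))

if __name__ == "__main__":
    # Constructed scenario: 100 slots, P = 10%, constrained threshold 20.
    g = PortGuard(100, 10, 20, qos_override={"198.51.100.7"})
    print(flood(g, "203.0.113.5", 500))   # flooding host
    print(g.admit("192.0.2.9"))           # unrelated host
    print(flood(g, "198.51.100.7", 500))  # host with QoS override
```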



Reasons for Allowance 



2. Applicant's independent claims recite the limitation, 



• "Recognizing a particular host connecting to the port number on the server" 

Previously, the Examiner rejected the independent claims using Schuba, US patent 6725378.

Schuba (Column 4, lines 53-67) detects if a particular maximum number of connections has
been reached per port. If it is determined that the maximum number of connections on that port
has been reached, Schuba will discard all further connections per port.

Schuba however fails to disclose a particular recognition of the connections coming about from a 
singular host. Instead, Schuba performs a blanket operation where all further connections to the 
port are sealed off, rather than denying the request for a connection to the port from an attributed 
and "recognized" host. 

A rejection based on Pars Mutaf "Defending against a Denial of Service Attack on TCP" was 
also previously made. 

Mutaf, page 6, discloses a detection of an attack where if the number of received SYN segments 
per second by a given TCP port exceeds a maximum or prescribed threshold, the network 
monitor is to consider the event an attack. 

Mutaf additionally fails to recite an explicit "recognition" of the attack arising from an identified
host, and only identifies the attack based on the threshold of the port, rather than the two-aspect
analysis of recognizing the host and determining if the number of connections exceeds a
threshold.

Mutaf and Schuba have been identified by the Examiner as the closest art of record, both of them
deficient on the limitation of "Recognizing a particular host connecting to the port number on the
server". Indeed, the fact that Schuba and Mutaf suffer from the same deficiency appears to speak
of an explicit and reasonably well identified boundary on the current state of the art regarding
"Denial of Service" identification and flooding attack protection.

For this reason, the Examiner has withdrawn all rejections, and has allowed the pending claims. 



Conclusion 

3. Any inquiry concerning this communication from the examiner should be directed to 
Thomas M Ho whose telephone number is (703)305-8029. The examiner can normally be 
reached on M-F from 8:30 AM - 5:00 PM. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, 
Gregory A. Morse can be reached on (703)308-4789. The fax phone numbers for the 
organization where this application or proceeding is assigned are (703)746-7239 for regular 
communications and (703)746-7238 for After Final communications. 

Any inquiry of a general nature or relating to the status of this application or proceeding should 
be directed to the receptionist whose telephone number is (703)306-5484. 